Eyes on Spies

By Aliya Sternstein

October 1, 2012

At the National Security Agency, compliance with information-sharing policies and privacy laws means protecting civil liberties. That’s where John DeLong comes in. In 2009, he filled a new position at NSA: compliance director. The gig involves coordinating with analysts throughout the chain of command to pre-empt potential violations, as well as cooperating with other NSA oversight managers to avoid stepping on toes.

“We’re nothing if we lose the confidence of the American people,” DeLong says. “The creation of this position is a very outward sign of an inward focus—a focus that existed before the creation of my position. We’re constantly learning. We’re constantly trying to draw best practices externally, and . . . we’re trying to also contribute and be part of that discussion about compliance best practices.”

DeLong, 37, also must ensure inanimate surveillance tools follow the rules. Seems like that should be a breeze for a man who holds degrees in law, physics and math from Harvard University. Government Executive recently sat down with DeLong to find out. The following are edited excerpts from that conversation.

Q: Critics have accused NSA of being a rogue organization doing its own thing. But there are checks and balances for collecting U.S. communications, correct?

A: We are not a free agent that’s just out there, waking up and deciding what to do every day. We are really heavily regulated both by requirements that come in—a majority of them externally—and then also very specific authorizations. We have to make sure those authorizations pass from human to human and from machine to machine very carefully.

Q: The Defense Department already had an inspector general, and NSA had a privacy officer. What were you brought in to do that was different?

A: We work with the inspector general, and we both focus on safeguards around the underlying laws and policy. A privacy officer might be more in the policy space trying to make sure the fundamental legal and policy rules themselves are protective of privacy. The compliance folks then are really focused on bringing those rules to life. We very much are in the training cycles. We’re in the building of systems. We’re in the certification of systems.

From the perspective of an analyst or a person who builds technology it could sometimes look like a spaghetti bowl of rules or organizations, but really I like to use the term ecosystem because when everyone plays their position here—when the lawyers provide the legal advice, when the policy folks provide that policy overlay, when the compliance folks are down proactively rolling our sleeves up and helping, and when the oversight is doing that independent oversight—it all kind of works together.

Q: What’s the biggest misperception citizens have about NSA’s surveillance powers? And what would you like to tell them to clear up that fallacy?

A: The ecosystem part. There is a tremendous amount of external oversight, ranging from executive branch, Department of Justice, Office of the Director of National Intelligence to Congress (the House Permanent Select Committee on intelligence and other committees), and then from the judicial branch with the Foreign Intelligence Surveillance Court.

Q: How do you help make sure everyone follows the rules?

A: I walk down the halls, knock on every door. That was a joke. The one thing I like to make sure is that people don’t think of compliance as just the people with clipboards who are sort of spying on the spies, or overseeing everything. We’re down with the technology folks, with the lawyers, with the analysts, with the people who make policy . . . making sure that a change in one area is synchronized with a change in another area.

Q: What steps do you take when a person is on the verge of invading someone’s civil liberties?

A: We want people to report. In fact they are under an obligation to report. What we find is really a systems view rather than a personal view. This is a tremendously complex environment, so when somebody does raise their hand on the assembly line and say, “Wait, I need some help here,” the first thing we’ll do is try to get a quick understanding of what’s involved. The second thing will be to actually mitigate any ongoing activity that might be noncompliant. We then sort of bifurcate and take two steps. One is we focus on the particular issue at hand, the other is we take a step back and really take a systems view versus a single person view.

Q: Former NSA officials have alleged the agency compiles dossiers on U.S. citizens. Does your job extend to protecting these whistleblowers?

A: [Our reporting] in the lingo, is known as intelligence oversight reporting. It’s really our way of allowing people to raise their hands . . . We use it really for trend analysis. The whistle-blowing is of a different nature and that’s not something my office would handle. That’s I believe more handled by the inspector general.

Q: You were previously a deputy director of the national cybersecurity division at the Homeland Security Department. Did the Pentagon want a civilian compliance director rather than a military officer?

A: I don’t think military or civilian was a factor. When I was “voluntold” to take this position, in fact, this was a position I was eager to step into. That may sound a little crazy. It had to do with the multiple perspectives. I spent a lot of my early years, with the physics and math degrees, doing a lot of technology and system development. I then went and got a law degree. So I put one foot into the legal world. At DHS, working on more programmatic things, I learned a lot of program management techniques from some of the great leaders down there. Whether I’m at NSA, DHS or whether I’m at an interagency forum, there’s really not a distinction about who cares about privacy more, who cares about privacy less.

Q: How do you make sure personnel are safeguarding data without slowing down investigations?

A: I wouldn’t use the term slow down. The name of the game is probably precision . . . In some cases, we literally have the legal and policy rules embedded in the technology such that the technology will only do those things. There are obviously some decisions that you can’t automate. You have to rely on a human for judgment. And we have lots of training. We have places where those decisions get double-checked, triple-checked, even quadruple-checked. I kid you not. And those are all commensurate with the import of that decision, how that decision percolates through the process.

Q: An inspector general typically checks periodically to make sure computer systems are compliant. Do you alternate with the IG on audits?

A: The path between the IG and me is well-worn. We’re always talking. We don’t get to dictate what they do. They don’t get to dictate what we do. But we do work together to make sure they are focused on maybe some deeper dives. Part of the benefit of being a compliance organization is we can make a one-week decision cycle, turn it around and make recommendations.